Userspace (QUEUE) Filter Verdict Targets, REJECT and TARPIT

Userspace (QUEUE) Filter Verdict Targets, REJECT and TARPIT

[Gordan Bobic]

Hi,

I am trying to write a configurable userspace packet filter for handling huge 
numbers of complex rules (I need it for hundreds of thousands of rules). The 
problem that I am finding is that the libipq only seems to offer ACCEPT and 
DROP verdict targets for userspace filters.

Is there a way to set REJECT or TARPIT as targets? I ask because it is nice to 
respond with REJECT to non-hostile hosts so that they don't get tied with 
connections when DROP is used. Similarly, it would be nice to be able to 
TARPIT the hostile hosts to slow them down. At the moment, the only way I can 
think of to handle this is to set a DROP verdict but then send out a custom 
made raw packet using something like libnet, but this would rather complicate 
the code I am developing (but if it's the only option, so be it, I guess).

Finally - is there a way to practically handle TARPIT in a resource-cheap way 
when conntrack is used? My packet filter needs to operate in a NAT 
enfironment, so conntrack is not something I can avoid using.

Best regards.

Gordan

Re: Userspace (QUEUE) Filter Verdict Targets, REJECT and TARPIT

[Henrik Nordstrom]

On Fri, 17 Dec 2004, Gordan Bobic wrote:

> Is there a way to set REJECT or TARPIT as targets?

No, only the netfilter primitive targets are available from userspace.

But there is patches allowing you to return a nfmark from your queue 
application, which can then be used in further processing using iptables.

Regards
Henrik